On March 5, 2018, Yahoo! Inc. (Yahoo) announced that it had accepted a proposed settlement in In re Yahoo! Inc. Securities Litigation – a U.S. class action lawsuit launched in the United States District Court for the Northern District of California. The settlement has yet to be approved by the court.

The Yahoo class action was filed in California in January 2017 in response to cyber security breaches experienced by Yahoo. The first, occurring in 2013, involved the theft of names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions from more than 1 billion Yahoo user accounts. The second, occurring in late 2014, involved the theft, allegedly by state-sponsored hackers, of similar data from more than 500 million user accounts.

Yahoo disclosed both cyber security breaches in late 2016. Upon these disclosures, Yahoo's share price dropped. Subsequently, several shareholders launched class action lawsuits, which were eventually consolidated into one proceeding.

The Plaintiffs alleged that, between 2013 and 2016, Yahoo had made materially false and/or misleading statements in its quarterly reports to the Securities and Exchange Commission (SEC). Specifically, the Plaintiffs alleged that Yahoo neglected to disclose that:

  • it had failed to encrypt its users' personal information and/or failed to encrypt its users' personal data with an up-to-date and secure encryption scheme;
  • sensitive personal account information from more than 1 billion users was vulnerable to theft; and
  • a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo's websites and services.

After extensive mediation, the parties agreed to the settlement announced on March 5, 2018. Under the terms of the agreement, Yahoo will settle the claims for $80 million dollars paid to shareholders, but will not admit to violating securities law or misleading investors.

However, one of the named Plaintiffs did not agree to the settlement terms. Yahoo has moved to dismiss the claims being pursued by this non-settling plaintiff.

With increased inter-connectivity, political tensions, and criminal sophistication, entities that safeguard large amounts of customer data, such as financial institutions and technology companies, frequently face more attacks of an increasingly sophisticated nature. Given this and associated risks arising from a data breach, regular reviews of cyber security practices and the adoption of current industry best practices may help to mitigate this risk.

For more on cyber security within the securities context, please refer to our previous postings on the matter:

Only 61% of issuers address cyber security in their risk factor disclosure. Is your company one of them?

More Cyber Security Lessons from the Canadian Securities Administrators

The author would like to thank Samuel Keen, Student-At-Law, for his contribution to this article.


About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.

Law around the world
nortonrosefulbright.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.